411 Views, 0 Helpful, 6 Replies

New to PIX, I Need Help

hx2
Level 1

I have 2 problems. The first is, I need to set up an ACL that will enable only certain IP addresses to access my internal W2K Terminal Server. My second issue is my PIX seems to just stop working... meaning, I don't change anything, just all of a sudden, I can't get to the internet... I can't ping my internet router. But when I reload my configuration, everything starts to work again... I am not exactly sure how to troubleshoot this problem. CAN ANYONE HELP ME?


6 Replies

jackko
Level 7

To access an internal server with a terminal session:

If you've got only one public IP,

static (inside,outside) tcp 3389 3389 netmask 255.255.255.255 0 0

If you've got more than one public IP,

static (inside,outside) netmask 255.255.255.255 0 0

Regardless of which static command you use, you still need to apply the following:

access-list 100 permit tcp eq 3389; or

access-list 100 permit tcp eq 3389

access-group 100 in interface outside

clear xlate

May I suggest that allowing a terminal session directly from the internet is not very secure. You may configure remote VPN client access or, alternatively, manipulate the standard port number so that a hacker will not discover the port as easily.

e.g.

static (inside,outside) tcp 10000 3389 netmask 255.255.255.255 0 0

access-list 100 permit tcp eq 10000

access-group 100 in interface outside

With the commands above, the trusted remote user needs to point to TCP port 10000 instead of the default port 3389 when connecting to the server.

To establish a terminal session with a specific port:

:10000

Regarding the connectivity issue, are you using a PIX 501? If so, do a "sh ver" to verify the internal user licence. You may have a 10 or 50 internal user licence.
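The configuration described in the reply above, written out end to end as an added example (this is not code from the original post), with the inbound ACL restricted to specific source addresses as the question asked, the port remapped to tcp/10000, and the show commands used to confirm it took effect. All addresses are assumptions taken from the documentation ranges: 203.0.113.1 is the PIX outside interface (the "only one public IP" case), 203.0.113.10 a spare public IP (the "more than one public IP" case), 192.168.1.10 the W2K Terminal Server, and 198.51.100.5 plus 198.51.100.0/24 the trusted remote sources. The syntax is PIX 6.x; lines starting with "!" are explanatory comments for the reader, not commands.

```cisco
! Added example, not from the original post. Assumed addresses:
!   PIX outside interface / only public IP ..... 203.0.113.1
!   spare public IP (multi-IP case) ............ 203.0.113.10
!   internal W2K Terminal Server ............... 192.168.1.10
!   trusted remote admin host .................. 198.51.100.5
!   trusted remote office network .............. 198.51.100.0/24
!
! --- Variant A: only one public IP (the outside interface address) ---
! PIX 6.2+ port redirection: tcp/10000 on the outside interface address
! is mapped to tcp/3389 on the server. The trailing "0 0" are the
! max-connection and embryonic-connection limits (0 = unlimited).
static (inside,outside) tcp interface 10000 192.168.1.10 3389 netmask 255.255.255.255 0 0
!
! --- Variant B: a spare public IP dedicated to the server ---
! Use one variant or the other, not both. With Variant B the ACL
! destination below must be 203.0.113.10 instead of 203.0.113.1.
! static (inside,outside) tcp 203.0.113.10 10000 192.168.1.10 3389 netmask 255.255.255.255 0 0
!
! Inbound ACL on the outside interface. On PIX 6.x the ACL is evaluated
! before the static is untranslated, so the destination is the PUBLIC
! address and the PUBLIC port (10000), not 192.168.1.10:3389.
! Only the listed sources are permitted; everything else arriving on
! the outside interface falls through to the deny at the end.
access-list 100 remark RDP to W2K Terminal Server, trusted sources only
access-list 100 permit tcp host 198.51.100.5 host 203.0.113.1 eq 10000
access-list 100 permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.1 eq 10000
! Optional: make the implicit deny explicit and log what it drops.
access-list 100 deny ip any any log
access-group 100 in interface outside
!
! Existing translations are rebuilt so the new static takes effect.
clear xlate
!
! Verification
! the static is present
show static
! hitcnt on the permit lines rises when a trusted host connects;
! hitcnt on the deny line rises when anyone else tries
show access-list 100
! a translation for 192.168.1.10 exists
show xlate
! live RDP connections after a client connects
show conn
! licence and connection limits (the "sh ver" mentioned above)
show version
!
! The trusted remote user connects to 203.0.113.1:10000 (address:port),
! which the PIX redirects to 192.168.1.10:3389.
```

The two permit lines are where "only certain IP addresses" is enforced: any source not listed is dropped before it ever reaches the Terminal Server, and the hit counters in show access-list 100 make it easy to see both the accepted sessions and the rejected probes. Note that referencing the public address in the ACL is PIX 6.x behaviour; on later ASA software (8.3 and up) the same ACL would reference the real internal address instead.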

I am using a PIX515E... I was wondering if it has anything to do with the timeout settings.

My settings are...

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

Would it help you help me if I posted my entire configuration?

Thanks

These settings are the defaults and they shouldn't cause any issue, as I have never manipulated the settings.

OK, I will not change any of these settings. Yet, it seems like when there is no activity, my connection to the internet goes down. For example, overnight my connection to the internet goes down, but like now, when I am at the office and all of my users are doing things on the internet, the connection stays up. What would you suggest for troubleshooting? Oh, yeah, by the way, the RDP ACL works fine... thanks a million

It's good to learn that the RDP is working fine.

According to Cisco:


Just wondering if the internet issue is still bothering you.
